118 bootstrap procedure

.dockerignore

@@ -0,0 +1,2 @@
+/create-a-container/data/database.sqlite
+/create-a-container/certs/*

Dockerfile

@@ -0,0 +1,55 @@
+# This first layer is only to build the root filesystem. We use Proxmox's
+# minimal Debian template as it is well maintained and optimized for LXC usage.
+FROM debian:13 AS builder
+RUN apt-get update && apt-get install -y \
+    curl tar zstd
+ARG URL=http://download.proxmox.com/images/system/debian-13-standard_13.1-2_amd64.tar.zst
+RUN mkdir /rootfs && curl "$URL" | tar --zstd -x -C /rootfs
+
+# Stage 2 of the build uses the root filesystem built in stage 1. The rest of
+# the Dockerfile builds from there.
+FROM scratch
+COPY --from=builder /rootfs /
+
+# Install nginx mainline for the most up-to-date features
+RUN apt update && apt -y install curl gnupg2 ca-certificates lsb-release debian-archive-keyring \
+    && curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+        | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \
+    && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+        http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" \
+        | tee /etc/apt/sources.list.d/nginx.list \
+    && echo "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
+        | tee /etc/apt/preferences.d/99nginx \
+    && cat /etc/apt/preferences.d/99nginx \
+    && apt update \
+    && apt install -y nginx ssl-cert \
+    && systemctl enable nginx
+
+# Install DNSMasq and configure it to only get it's config from our pull-config
+RUN apt update && apt -y install dnsmasq && systemctl enable dnsmasq
+RUN sed -i \
+    -e 's/^CONFIG_DIR=\(.*\)$/#CONFIG_DIR=\1/' \
+    -e 's/^#IGNORE_RESOLVCONF=\(.*\)$/IGNORE_RESOLVCONF=\1/' \
+    /etc/default/dnsmasq
+
+# Install lego for ACME certificate management. We install the build directly from
+# the lego GitHub releases since the Debian package is out of date and doesn't
+# support Cloudflare DNS validation, which we use.
+ARG LEGO_VERSION=v4.28.1
+RUN curl -fsSL "https://github.com/go-acme/lego/releases/download/${LEGO_VERSION}/lego_${LEGO_VERSION}_linux_amd64.tar.gz" \
+    | tar -xz -C /usr/local/bin lego
+
+# Install requisites: git for updating the software, make and npm for installing
+# and management.
+RUN apt update && apt -y install git make npm
+
+# Install the software. We include the .git directory so that the software can
+# update itself without replacing the entire container.
+COPY . /opt/opensource-server
+WORKDIR /opt/opensource-server
+RUN make install
+
+# Configure systemd to run properly in a container. This isn't nessary for LXC
+# in Proxmox, but is useful for testing with Docker directly.
+STOPSIGNAL SIGRTMIN+3
+ENTRYPOINT [ "/sbin/init" ]

Makefile

@@ -0,0 +1,23 @@
+.PHONY: install install-create-container install-pull-config help
+
+help:
+	@echo "opensource-server installation"
+	@echo ""
+	@echo "Available targets:"
+	@echo "  make install                - Install all components"
+	@echo "  make install-create-container - Install create-a-container web application"
+	@echo "  make install-pull-config    - Install pull-config system"
+	@echo ""
+
+install: install-create-container install-pull-config
+
+install-create-container:
+	cd create-a-container && npm install --production
+	cd create-a-container && npm run db:migrate
+	install -m644 -oroot -groot create-a-container/container-creator.service /etc/systemd/system/container-creator.service
+	systemctl daemon-reload || true
+	systemctl enable container-creator.service
+	systemctl start container-creator.service || true
+
+install-pull-config:
+	cd pull-config && bash install.sh

README.md

@@ -1,165 +1,116 @@
-# opensource-mieweb
+# opensource-server
 
-Configuration storage for the [opensource.mieweb.org](https://opensource.mieweb.org:8006) Proxmox project.
+Infrastructure management platform for automated LXC container hosting with Proxmox VE.
 
-To learn everything there is about our cluster, see our documentation at [https://opensource.mieweb.org/docs/intro](https://opensource.mieweb.org/docs/intro).
+This repository provides a complete self-service container management system with web interface, automated configuration distribution, and integrated DNS/reverse proxy services.
 
-This repository contains configuration files and scripts for managing a Proxmox-based container hosting environment, including automated DNS, NGINX reverse proxy, dynamic port mapping, and the Proxmox LaunchPad GitHub Action for automated container deployment.
+## Project Components
 
-## Cluster Graph
+- [`create-a-container/`](create-a-container/README.md) - Web application for container lifecycle management
+- [`pull-config/`](pull-config/README.md) - Automated configuration distribution system for nginx and dnsmasq
+- [`mie-opensource-landing/`](mie-opensource-landing/README.md) - Landing page and documentation site
+- [`packer/`](packer/README.md) - LXC container template creation
+- [`ci-cd-automation/`](ci-cd-automation/README.md) - Proxmox API automation scripts
+- [`LDAP/`](LDAP/README.md) - Centralized authentication infrastructure
+- [`Wazuh/`](Wazuh/README.md) - Security monitoring and threat detection
 
-```mermaid
-
-graph TD
-    %% Repository Structure
-    REPO[opensource-mieweb Repository]
-
-    %% All Main Folders
-    REPO --> CICD[ci-cd-automation]
-    REPO --> CC[container-creation]
-    REPO --> DNS[dnsmasq-service]
-    REPO --> GW[gateway]
-    REPO --> LDAP[LDAP]
-    REPO --> NGINX[nginx-reverse-proxy]
-    REPO --> PL[proxmox-launchpad]
-
-    %% Core Workflow Connections
-    CC --> |creates| CONTAINER[LXC Container]
-    CONTAINER --> |Updates Container Map| NGINX
-    CONTAINER --> |updates| DNS
-    CONTAINER --> | Updates IP Tables| GW
-    CONTAINER --> |authenticates via| LDAP
-
-    %% CI/CD Operations
-    CICD --> |manages| CONTAINER
-    PL --> |automates| CC
-    PL --> |uses| CICD
-
-    %% User Access Flow
-    USER[User Access] --> DNS
-    DNS --> NGINX
-    NGINX --> CONTAINER
-
-    %% Wazuh Integration
-    CONTAINER --> |Wazuh Agent| WAGENT[Wazuh Agent]
-    WAGENT --> |reports to| WMANAGER[Wazuh Manager]
-    WMANAGER --> |sends data to| WINDEXER[Wazuh Indexer]
-
-    %% Styling
-    classDef folder fill:#1976d2,stroke:#e3f2fd,stroke-width:2px,color:#ffffff
-    classDef system fill:#689f38,stroke:#f1f8e9,stroke-width:2px,color:#ffffff
-    classDef wazuh fill:#fbc02d,stroke:#fffde7,stroke-width:2px,color:#000000
-    classDef user fill:#f57c00,stroke:#fff3e0,stroke-width:2px,color:#ffffff
-
-    class CICD,CC,DNS,GW,LDAP,NGINX,PL folder
-    class CONTAINER system
-    class WAGENT,WMANAGER,WINDEXER wazuh
-    class USER user
-```
-
-### Core Infrastructure
-
-- [`dnsmasq-service/`](dnsmasq-service/):  
-  Contains Dnsmasq configuration for DHCP and DNS services, including wildcard routing for the reverse proxy and container network management.
-
-- [`nginx-reverse-proxy/`](nginx-reverse-proxy/):  
-  Houses NGINX configuration files for the reverse proxy setup, including JavaScript modules for dynamic backend resolution and SSL certificate management.
-
-- [`gateway/`](gateway/):  
-  Gateway configuration and management scripts for network routing and access control between the internal container network and external traffic. Also contains daily clean up scripts for the cluster.
-
-### Container Management
-
-- [`container-creation/`](container-creation/):  
-  Contains comprehensive scripts for LXC container lifecycle management, including creation, LDAP configuration, service deployment, and registration with the proxy infrastructure.
-
-- [`ci-cd-automation/`](ci-cd-automation/):  
-  Automation scripts for continuous integration and deployment workflows, including container existence checks, updates, and cleanup operations with helper utilities.
-
-### Authentication & Directory Services
+## Installation
 
-- [`LDAP/`](LDAP/):  
-  Contains LDAP authentication infrastructure including a custom Node.js LDAP server that bridges database user management with LDAP protocols, and automated LDAP client configuration tools for seamless container authentication integration. LDAP Server configured to reference the [Proxmox VE Users @pve realm](https://pve.proxmox.com/wiki/User_Management) with optional [Push Notification 2FA](https://github.com/mieweb/mieweb_auth_app)
+### Recommended: Proxmox 9+ OCI Container (Preferred)
 
-### Security
+With Proxmox 9's native OCI container support, the easiest installation method is to deploy directly from GitHub Container Registry:
 
-- [`Wazuh/`](Wazuh/):
-  We utilize Wazuh, an opensource security management platform, to provide vulnerability detection and threat hunting services to our cluster. Our custom decoders and rules revolve mainly around mitigating SSH/PAM bruteforce attacks in both our hypervisors and individual containers.
-
-### GitHub Action Integration
-
-- [`proxmox-launchpad/`](proxmox-launchpad/):  
-  The Proxmox LaunchPad GitHub Action for automated container deployment directly from GitHub repositories, supporting both single and multi-component applications.
-
-- [`LDAPServer`](https://github.com/mieweb/LDAPServer):
-  LDAP Server configured to reference the [Proxmox VE Users @pve realm](https://pve.proxmox.com/wiki/User_Management) with optional [Push Notification 2FA](https://github.com/mieweb/mieweb_auth_app)
-
-## Create a Container
-
-If you have an account in the [opensource-mieweb](https://opensource.mieweb.org:8006) cluster, you can create a container in three ways:
-- Use the Web GUI here: [create-a-container](https://create-a-container.opensource.mieweb.org/)
-- Use the Command Line: ssh create-container@opensource.mieweb.org (mie123!)
-- Use the Proxmox LaunchPad Github Action to automatically provision, update, and delete containers for you: [Proxmox LaunchPad](#proxmox-launchpad)
-
-## MIE Opensource Landing
+```bash
+# Pull and run the container from GHCR
+pct create <VMID> ghcr.io/mieweb/opensource-server:latest \
+  --hostname opensource-server \
+  --net0 name=eth0,bridge=vmbr0,ip=dhcp \
+  --features nesting=1 \
+  --privileged 1 \
+  --onboot 1
+```
 
-Contains all the source code for [https://opensource.mieweb.org's](https://opensource.mieweb.org) landing page, built with React + Docusaurus.
-- Documentation is located at [https://opensource.mieweb.org/docs/intro](https://opensource.mieweb.org/docs/intro).
+> **Note**: Adjust the VMID, network configuration, and other parameters according to your Proxmox environment.
 
-## How It Works
+### Alternative: Docker Container
 
-- **DNS**: All `*.opensource.mieweb.com` requests are routed to the NGINX proxy via Dnsmasq, providing automatic subdomain resolution for containers.
-- **Reverse Proxy**: NGINX uses JavaScript modules to dynamically resolve backend IP addresses and ports for each subdomain, based on the container registry in `/etc/nginx/port_map.json`.
-- **Container Lifecycle**: When containers start, Proxmox hooks automatically:
-  - Wait for DHCP lease assignment
-  - Allocate available HTTP and SSH ports
-  - Update the NGINX port mapping and reload configuration
-  - Configure iptables rules for SSH port forwarding
-- **GitHub Integration**: The Proxmox LaunchPad action automates the entire process from repository push to live deployment, including dependency installation, service configuration, and application startup.
-- **CI/CD Pipeline**: Automated scripts used by [Proxmox LaunchPad](#proxmox-launchpad) to handle container updates, existence checks, and cleanup operations to maintain a clean and efficient hosting environment.
-- **LDAP Server**: All LXC Container Authentication is handled by a centralized LDAP server housed in the cluster. Each Container is configured with SSSD, which communicates with the LDAP server to verify/authenitcate user credentials. This approach is more secure than housing credentials locally.
-- **Wazuh**: Both containers and hypervisors are Wazuh Agents, and send all logs to our centralized Wazuh Manager, which matches each log against a large database of decoders and rules. If certain rules are triggered, active response mechanisms respond by triggering certain commands, a common one being a firewall drop of all packets originating from a certain source IP.
+See the [`Dockerfile`](Dockerfile) in the repository root for building and running the container with Docker:
 
+```bash
+docker build -t opensource-server .
+docker run -d --privileged \
+  -p 443:443 \
+  -p 53:53/udp \
+  --name opensource-server \
+  opensource-server:latest
+```
 
-## Proxmox LaunchPad
+### Manual Installation (Legacy)
 
-The Proxmox LaunchPad is a powerful GitHub Action that automatically creates, manages, and deploys LXC containers on the Proxmox cluster based on your repository's branch activity. It supports:
+For a traditional installation on a Debian-based system, see the [`Dockerfile`](Dockerfile) for the complete installation steps and dependencies. The Dockerfile serves as the canonical reference for system setup and configuration.
 
-- **Automatic Container Creation**: Creates new containers when branches are created or pushed to
-- **Multi-Component Deployments**: Supports applications with multiple services (e.g., frontend + backend)
-- **Service Integration**: Automatically installs and configures services like MongoDB, Docker, Redis, PostgreSQL, and more
-- **Branch-Based Environments**: Each branch gets its own isolated container environment
-- **Automatic Cleanup**: Deletes containers when branches are deleted (e.g., after PR merges)
+Key steps include:
+1. Install nginx (mainline from nginx's repo preferred)
+2. Install dnsmasq with proper configuration
+3. Clone repository and run `make install`
 
-The action integrates with the existing infrastructure to provide automatic DNS registration, reverse proxy configuration, and port mapping for seamless access to deployed applications.
+For detailed configuration and usage instructions, refer to the individual component READMEs linked above.
 
-## Opensource Cluster Usage
+## Architecture Overview
 
-### For Infrastructure Management
+The system provides automated container hosting through three main components:
 
-1. **Clone this repository** to your Proxmox host or configuration management system.
-2. **Deploy the configuration files** to their respective locations on your infrastructure.
-3. **Ensure dependencies**:
-   - Proxmox VE with LXC container support
-   - NGINX with the `ngx_http_js_module`
-   - Dnsmasq for DNS and DHCP services
-4. **Set up LDAP authentication** using the provided LDAP server and client configuration tools.
-5. **Configure container templates** and network settings according to your environment.
-6. **Register new containers** using the provided hook scripts for automatic proxy and DNS integration.
+1. **Container Management** (`create-a-container/`)
+   - Web-based interface for container lifecycle operations
+   - Proxmox VE API integration for LXC container provisioning
+   - Site-based organization with hierarchical node/container relationships
+   - Service port mapping and DNS configuration
 
-### For GitHub Action Deployment
+2. **Configuration Distribution** (`pull-config/`)
+   - Automated pulling of nginx and dnsmasq configurations
+   - ETag-based change detection for efficient updates
+   - Validation and automatic rollback on errors
+   - Multi-instance support via run-parts pattern
 
-1. **Add the Proxmox LaunchPad action** to your repository's workflow file.
-2. **Configure repository secrets** for Proxmox credentials and optionally a GitHub PAT.
-3. **Set up trigger events** for push, create, and delete operations in your workflow.
-4. **Configure deployment properties** in your workflow file for automatic application deployment.
-5. **Push to your repository** and watch as containers are automatically created and your application is deployed.
+3. **Infrastructure Services**
+   - nginx reverse proxy with SSL/TLS termination
+   - dnsmasq for DHCP and DNS services
+   - LDAP authentication for centralized user management
+   - Wazuh security monitoring and threat detection
 
-See the [`proxmox-launchpad/README.md`](proxmox-launchpad/README.md) for detailed setup instructions and configuration options.
+### Data Flow
 
-## Optional Submodules
-- **Push Notification 2FA** - MIE Auth https://github.com/mieweb/mieweb_auth_app
+```mermaid
+graph TD
+    User[User] --> WebUI[create-a-container Web UI]
+    WebUI --> DB[(SQLite Database)]
+    WebUI --> PVE[Proxmox VE API]
+    PVE --> LXC[LXC Container]
+
+    Cron[Cron Job] --> PullConfig[pull-config]
+    PullConfig --> WebUI
+    PullConfig --> Nginx[nginx config]
+    PullConfig --> Dnsmasq[dnsmasq config]
+
+    Client[Client Request] --> Nginx
+    Nginx --> LXC
+
+    DB --> Sites[Sites]
+    Sites --> Nodes[Nodes]
+    Nodes --> Containers[Containers]
+    Containers --> Services[Services]
+
+    classDef user fill:#f57c00,stroke:#fff3e0,stroke-width:2px,color:#ffffff
+    classDef app fill:#1976d2,stroke:#e3f2fd,stroke-width:2px,color:#ffffff
+    classDef infra fill:#689f38,stroke:#f1f8e9,stroke-width:2px,color:#ffffff
+    classDef data fill:#7b1fa2,stroke:#f3e5f5,stroke-width:2px,color:#ffffff
+
+    class User,Client user
+    class WebUI,PullConfig app
+    class PVE,LXC,Nginx,Dnsmasq,Cron infra
+    class DB,Sites,Nodes,Containers,Services data
+```
 
 ---
 
-Contributors: Carter Myers, Maxwell Klema, and Anisha Pant
+Contributors: Carter Myers, Maxwell Klema, Anisha Pant, and Robert Gingras